Merge lp:~julian-edwards/maas/1.2-xss-bug-1251336 into lp:maas/1.2

Proposed by Julian Edwards
Status: Merged
Approved by: Julian Edwards
Approved revision: no longer in the source branch.
Merged at revision: 1387
Proposed branch: lp:~julian-edwards/maas/1.2-xss-bug-1251336
Merge into: lp:maas/1.2
Diff against target: 66 lines (+16/-4)
3 files modified
src/maasserver/api.py (+1/-2)
src/maasserver/tests/test_api.py (+12/-1)
src/maasserver/views/combo.py (+3/-1)
To merge this branch: bzr merge lp:~julian-edwards/maas/1.2-xss-bug-1251336
Reviewer Review Type Date Requested Status
Julian Edwards (community) Approve
Review via email: mp+205071@code.launchpad.net

Commit message

Fix XSS in API calls that have no valid operation.

Revision history for this message
Julian Edwards (julian-edwards) wrote :

Selfing. Approved on trunk.

review: Approve


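--- a/src/maasserver/api.py
+++ b/src/maasserver/api.py
@@ -109,7 +109,6 @@
 from django.http import (
 Http404,
 HttpResponse,
-HttpResponseBadRequest,
 QueryDict,
 )
 from django.shortcuts import (
@@ -307,7 +306,7 @@
 signature = request.method.upper(), request.REQUEST.get("op")
 function = self.exports.get(signature)
 if function is None:
-return HttpResponseBadRequest(
+raise MAASAPIBadRequest(
 "Unrecognised signature: %s %s" % signature)
 else:
 return function(self, request, *args, **kwargs)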
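Review bot: The new `raise MAASAPIBadRequest(...)` on the `if function is None:` branch still interpolates the caller-supplied `op` value into the message verbatim, so the fix rests entirely on whatever renders MAASAPIBadRequest emitting text/plain rather than HTML; that handler is outside this hunk, and the test change in test_api.py is the only visible evidence of it. A comment at the raise would keep a later refactor from quietly reintroducing an HTML-rendered response: `# Raise rather than return: the API exception handler renders this as text/plain, so the reflected "op" value is never interpreted as HTML (bug 1251336).` The first hunk drops HttpResponseBadRequest from the django.http import; the +1/-2 diffstat suggests this was its only use in api.py, but any remaining reference would now surface as a NameError only when that code path runs. The enclosing dispatch method begins and ends outside the hunk.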
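--- a/src/maasserver/tests/test_api.py
+++ b/src/maasserver/tests/test_api.py
@@ -280,6 +280,17 @@
 self.assertThat(observed, MatchesListwise(expected))
 
 
+class TestXSSBugs(TestCase):
+"""Tests for making sure we don't allow cross-site scripting bugs."""
+
+def test_invalid_signature_response_is_textplain(self):
+response = self.client.get(
+reverse('nodes_handler'),
+{'op': '<script>alert(document.domain)</script>'})
+self.assertIn("text/plain", response.get("Content-Type", None))
+self.assertNotIn("text/html", response.get("Content-Type", None))
+
+
 class TestStoreNodeParameters(TestCase):
 """Tests for `store_node_power_parameters`."""
 
@@ -591,7 +602,7 @@
 })
 
 self.assertEqual(httplib.BAD_REQUEST, response.status_code)
-self.assertIn('text/html', response['Content-Type'])
+self.assertIn('text/plain', response['Content-Type'])
 self.assertEqual(
 "Unrecognised signature: POST None",
 response.content)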
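Review bot: `test_invalid_signature_response_is_textplain` checks only the Content-Type, and reads it via `response.get("Content-Type", None)`, so a missing header turns the `assertIn` into a TypeError on None rather than a readable assertion failure. It also never pins the status code, so a response that never reached the signature dispatch (for example an authentication rejection, if the nodes handler enforces one — not visible here) would pass or fail for the wrong reason. Pin the status and index the header directly, as the existing test in the second hunk already does: `self.assertEqual(httplib.BAD_REQUEST, response.status_code)`, `self.assertIn("text/plain", response['Content-Type'])`, `self.assertNotIn("text/html", response['Content-Type'])`. The second hunk's text/html to text/plain swap is consistent with that expectation.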
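--- a/src/maasserver/views/combo.py
+++ b/src/maasserver/views/combo.py
@@ -95,7 +95,9 @@
 return HttpResponseRedirect(
 "%s%s" % (default_redirect, fnames[0]))
 else:
-return HttpResponseBadRequest("Invalid file type requested.")
+return HttpResponseBadRequest(
+"Invalid file type requested.",
+content_type="text/plain; charset=UTF-8")
 content = "".join(
 [content.decode(encoding) for content in combine_files(
 fnames, location, resource_prefix='/', rewrite_urls=True)])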
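Review bot: The message handed to `HttpResponseBadRequest` here is a fixed literal, so forcing `content_type="text/plain; charset=UTF-8"` is defensive hardening rather than a fix for a reflected value, and nothing on the line explains why the kwarg matters — a later edit could drop it as noise. A short comment on the return would preserve the intent: `# Always text/plain so a browser never treats an error body as HTML (bug 1251336).` The enclosing view begins before and continues after the hunk, so whether its other error paths set an explicit content type cannot be seen here.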
